[Owasp-appsensor-project] Custom AppSensorSecurityConfiguration

Theo van Niekerk theovn at owasp.org
Wed Aug 24 09:24:52 EDT 2011


Hi John

Thanks for your reply - I'll try and file a bug/issue.

I store the Master-key (password protected) in a Key-store (also password protected).
My app has an obscure webpage that asks for these 2 passwords to load the Master-key in memory where it is kept.
The app won't run - returns 503 on most dynamic pages - unless the key is loaded.
Downside is on a server restart, an operator needs to enter the passwords.
Upside is that one can make the statement that 2 operators each with their own password are required to start the app. 
I think that if you are not involved/aware of a server/app restart then you are doing something wrong.
 
I don't mind sharing/contributing the code - it works for me, but it's not a work of art.

Cheers
Theo

On 24 Aug 2011, at 14:54, John Melton wrote:

> Theo,
> In short, this is currently not possible with AppSensor. Could you file a
> bug at http://code.google.com/p/appsensor/issues/list so that we can track
> this and get the functionality added in to handle it?
> Also, just a quick question - if you can offer specifics, what are you doing
> generally to "encrypt/protect the key"? I know a lot of folks have
> complained that they would like to separate the master key out to another
> file, but it's not encrypted then - just filesystem controls on the actual
> key file. The issue is if you encrypt it, then you have another key to
> manage ... so what are you actually doing?
> 
> Thanks,
> John
> 
> On Wed, Aug 24, 2011 at 7:52 AM, Theo van Niekerk <theovn at owasp.org> wrote:
> 
>> Hi
>> 
>> I'm using my own SecurityConfiguration class for ESAPI. I have a
>> requirement to protect/encrypt the Master key and the
>> DefaultSecurityConfiguration setup can't do that.
>> 
>> I want to use AppSensor, but it requires ESAPI to use the
>> org.owasp.appsensor.AppSensorSecurityConfiguration.
>> 
>> I can adapt my own SecurityConfiguration to include the
>> AppSensorSecurityConfiguration stuff but how do I configure AppSensor to use
>> this config. AppSensor ignores the
>> -Dorg.owasp.esapi.SecurityConfiguration=... setting.
>> 
>> What to do?
>> 
>> Cheers
>> Theo
>> 
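The startup gate described in the top message of this thread (master key under its own password inside a password-protected keystore, 503 on dynamic pages until both passwords have been entered), sketched as an added example; it is not Theo's code and not part of ESAPI or AppSensor. The JCEKS keystore type, the `master` alias, the class and method names and the sample passwords are assumptions, and the keystore is constructed in memory for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; class, method and alias names are hypothetical.
public class MasterKeyGate {
    private static volatile SecretKey masterKey; // lives in memory only, lost on restart

    // storePass opens the keystore (operator 1); keyPass unwraps the key entry (operator 2).
    static void unlock(byte[] store, char[] storePass, char[] keyPass) throws Exception {
        try {
            KeyStore ks = KeyStore.getInstance("JCEKS"); // assumed type: allows a separate entry password
            ks.load(new ByteArrayInputStream(store), storePass); // wrong storePass: IOException
            KeyStore.Entry e = ks.getEntry("master", new KeyStore.PasswordProtection(keyPass));
            if (!(e instanceof KeyStore.SecretKeyEntry)) throw new IllegalStateException("no secret key");
            masterKey = ((KeyStore.SecretKeyEntry) e).getSecretKey();
        } finally { // do not keep operator passwords around after the attempt
            Arrays.fill(storePass, '\0');
            Arrays.fill(keyPass, '\0');
        }
    }

    // Status a request filter would return: dynamic pages are refused until the key is loaded.
    static int statusFor(boolean dynamicPage) {
        return (dynamicPage && masterKey == null) ? 503 : 200;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keystore with an all-zero AES key, built in memory so the demo runs offline.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        ks.setEntry("master", new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
                new KeyStore.PasswordProtection("operator-two".toCharArray()));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, "operator-one".toCharArray());
        byte[] store = out.toByteArray();

        System.out.println("before unlock: " + statusFor(true));
        try { // a wrong entry password must leave the gate closed
            unlock(store, "operator-one".toCharArray(), "wrong".toCharArray());
        } catch (Exception ex) {
            System.out.println("unlock failed: " + ex.getClass().getSimpleName());
        }
        System.out.println("after failed unlock: " + statusFor(true));
        unlock(store, "operator-one".toCharArray(), "operator-two".toCharArray());
        System.out.println("after unlock: " + statusFor(true));
    }
}
```

In JCEKS the store password only covers the integrity check of the file, while the entry password is what encrypts the key, so the two-operator property rests on both being required by `unlock`, not on two layers of encryption.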


